Server Intrusion: Quick Fixes & What To Do
Nov 7, 2008
Over the past week, the SMTP server on my VPS has been hanging whenever I try to send an email from my computer. It'll eventually work again, but now it's been down for the count for about 18 hours. Tech support keeps on recommending minor fixes and issuing standard responses like "try disabling your firewall" and the like, but nothing works. I have already told them this:
* I know _you_ can probably send POP/SMTP mail through my server. I can't.
* Mozilla Thunderbird will connect and send mail through other POP/SMTP servers. Not my server here.
* I can connect to _receive_ email, but I can't send it.
* My ISP (SBC/AT&T ADSL) does not block outgoing mail to port 25 on my account; I had the block removed.
* I've got an exim server running on port 26, too. Doesn't make a difference.
* I tried connecting from another ISP (my work PC). Still can't send mail.
* I tried using IP addresses instead of my domain name. Doesn't work.
* I didn't change any account names, passwords or anything like that.
* I tried other email clients. Can't send mail with them, either.
* The exim queue has very few messages in it. Clearing the queue didn't work.
* I disabled firewalls. Didn't help. Besides, I was able to connect to other mail servers - just not my VPS here.
* There are no typos in any of the account or general configuration settings in my client. Nothing changed. One day I could send mail, now I'm having problems.
I keep saying this, and keep attaching entries from exim_mainlog with error messages like this PROVING that I can't send mail:
2007-02-01 08:26:00 H=adsl***** [*****]:1294 I=[*****]:25 incomplete transaction (connection lost) from for *****@gmail.com
2007-02-01 08:26:00 unexpected disconnection while reading SMTP command from adsl***** [*****]:1294 I=[*****]:25
2007-02-01 08:26:17 SMTP connection from [*****]:1344 I=[*****]:25 (TCP/IP connection count = 1)
2007-02-01 08:29:34 H=adsl***** [*****]:1344 I=[*****]:25 incomplete transaction (connection lost) from for *****@gmail.com
2007-02-01 08:29:34 unexpected disconnection while reading SMTP command from adsl***** [*****]:1344 I=[*****]:25
Any ideas? I think tech support at my end has given up; it's been hours since I last heard from them, and that was just to say that they updated everything to the current version, and disabled the firewall. (Again!) Didn't work.
So, before I pack my bags and find another VPS host, what should I do? Having outgoing SMTP email is a MUST; not having it is a deal-breaker.
I'm about to purchase a 2nd server to be used as a database/app server alongside my current server (of which will be the web server).
I wish to use 2 x 146GB 10K SCSI hard disks (in RAID 1) on the database server, but will be keeping 2 x 320GB SATAII 16M in RAID 1 on the web server. Will the SATA hard disks affect the performance / effectiveness of the SCSI disks or will I benefit from SCSI even though they're only in the database server?
Also, I'm going for 10K hard disks over 15K because they're $20 per month cheaper and it's already expensive ($150 p/m for the two 10K or $170 p/m for 2 x 15K). Taking into account the already hefty price, is it worth the extra for 15K?
I have recently been using snort but I need something ideally graphically based so that it is easy to use and find your way around.
Can anyone recommend an IDS product that has a GUI?
I downloaded tripwire version 2.4.1.1, but after the installation the /etc/tripwire/twinstall.sh file is not generated. I checked the contents of the RPM I downloaded and the script is not there.
How can I prepare the cfg file without this script?
[root@user]# rpm -qpl tripwire-2.4.1.1-1.i386.rpm
/etc/cron.daily/tripwire-check
/etc/tripwire
/etc/tripwire/twcfg.txt
/etc/tripwire/twpol.txt
/usr/sbin/siggen
/usr/sbin/tripwire
/usr/sbin/tripwire-setup-keyfiles
/usr/sbin/twadmin
/usr/sbin/twprint
/usr/share/doc/tripwire-2.4.1.1
/usr/share/doc/tripwire-2.4.1.1/COMMERCIAL
/usr/share/doc/tripwire-2.4.1.1/COPYING
/usr/share/doc/tripwire-2.4.1.1/ChangeLog
/usr/share/doc/tripwire-2.4.1.1/License-Issues
/usr/share/doc/tripwire-2.4.1.1/README.Fedora
/usr/share/doc/tripwire-2.4.1.1/TRADEMARK
/usr/share/doc/tripwire-2.4.1.1/policyguide.txt
/usr/share/doc/tripwire-2.4.1.1/tripwire.gif
/usr/share/man/man4/twconfig.4.gz
/usr/share/man/man4/twpolicy.4.gz
/usr/share/man/man5/twfiles.5.gz
/usr/share/man/man8/siggen.8.gz
/usr/share/man/man8/tripwire.8.gz
/usr/share/man/man8/twadmin.8.gz
/usr/share/man/man8/twintro.8.gz
/usr/share/man/man8/twprint.8.gz
/var/lib/tripwire
/var/lib/tripwire/report
Is there a tool for intrusion detection where a central machine is responsible for requesting clients for file and directory information and reporting changes?
Do you know of any open source package, preferably one available for RHEL4 and 5?
I've read this about allowing certain IPs access to the server
Quote:
More advanced: /etc/apf/allow_hosts.rules
10. As a safety precaution, you might want to add your ip to the '/etc/apf/allow_hosts.rules' file.
Open the file in your favorite editor.
11. Add the ip of your computer to the end of the file. This will cause all traffic to and from that ip not to be filtered. You can also add the ip's of other servers.
If you want to specify what kind of traffic to allow from those ips that is not covered with the current firewall rules (ie. you blocked all traffic to SSH and only want a few ips to be able to access the SSH port), then this is the format you would use:
Protocol : direction/flow : source/destination port : s/d ip
[tcp/udp] : [in/out] : [s=/d=]PORT : [s=/d=]IP
Ex (let the ip 192.168.0.100 access to port 22):
tcp:in:d=22: s=192.168.0.100
What I'd like to know is if it's possible to put an IP range in there instead of just one IP address, the same way you specify a port range in the conf.apf file upon setup
eg:
tcp:in:d=99_123: s=192.168.0.100
where 99_123 is the port range
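The following is an added example (not part of the original post or of APF itself): a small Python parser and matcher for the allow_hosts.rules format quoted above, `[tcp/udp]:[in/out]:[s=/d=]PORT:[s=/d=]IP`, that accepts the `LOW_HIGH` port-range syntax the post asks about. Treating the IP field as a CIDR block (e.g. 10.0.0.0/24) is an assumption made for this example; the quoted documentation only shows single addresses, and the rule lines themselves are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed rules in the advanced allow_hosts.rules format quoted above:
#   [tcp/udp] : [in/out] : [s=/d=]PORT : [s=/d=]IP
# A port range uses the same LOW_HIGH syntax as conf.apf (e.g. 99_123).
# Giving the IP field a CIDR block is an assumption made for this example,
# not something the quoted APF documentation states.
SAMPLE_RULES = """
# allow the admin workstation to reach SSH
tcp:in:d=22: s=192.168.0.100
# whole office subnet may reach the custom port range (CIDR is an assumption)
tcp:in:d=99_123: s=10.0.0.0/24
udp:out:d=53: d=10.0.0.53
"""

@dataclass
class Rule:
    proto: str            # "tcp" or "udp"
    direction: str        # "in" or "out"
    port_side: str        # "s" or "d": which end of the flow the port refers to
    port_lo: int
    port_hi: int
    ip_side: str          # "s" or "d": which end of the flow the address refers to
    network: ipaddress.IPv4Network

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one allow_hosts.rules entry; return None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = [f.strip() for f in line.split(":")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {line!r}")
    proto, direction, port_f, ip_f = fields
    if proto not in ("tcp", "udp") or direction not in ("in", "out"):
        raise ValueError(f"bad protocol/direction: {line!r}")
    port_side, port_spec = port_f.split("=", 1)
    ip_side, ip_spec = ip_f.split("=", 1)
    if port_side not in ("s", "d") or ip_side not in ("s", "d"):
        raise ValueError(f"side must be s= or d=: {line!r}")
    # A range is written LOW_HIGH, as in conf.apf; a single port has LOW == HIGH.
    lo, _, hi = port_spec.partition("_")
    port_lo, port_hi = int(lo), int(hi or lo)
    if not (0 < port_lo <= port_hi <= 65535):
        raise ValueError(f"bad port range: {line!r}")
    # strict=False lets 10.0.0.1/24 parse as 10.0.0.0/24; a bare IP becomes a /32
    network = ipaddress.IPv4Network(ip_spec, strict=False)
    return Rule(proto, direction, port_side, port_lo, port_hi, ip_side, network)

def load_rules(text: str) -> list:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]

def is_allowed(rules, proto, direction, sport, dport, sip, dip) -> bool:
    """True if any rule covers this flow (protocol, direction, port and address)."""
    for r in rules:
        if r.proto != proto or r.direction != direction:
            continue
        port = sport if r.port_side == "s" else dport
        addr = ipaddress.IPv4Address(sip if r.ip_side == "s" else dip)
        if r.port_lo <= port <= r.port_hi and addr in r.network:
            return True
    return False

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for r in rules:
        print(r)
    # an inbound SSH connection from the admin workstation to the server
    print(is_allowed(rules, "tcp", "in", 40000, 22, "192.168.0.100", "203.0.113.5"))
```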
I am building a server using two Clovertown E5320 processors for a project. I need some suggestions for a motherboard and memory. I have looked at some boards on Newegg, but I'm still unsure. I do not have a large budget for the motherboard, so the cheaper, the better.
If anyone has other processors they would go with alternatively I'm open to suggestions there as well. It was either going to be a single Clovertown (later to be two) or two AMD Opteron 2212's....
I find it worrying when new or relatively new users post "[XYZ]VPS PROVIDER IS A SCAM" or "[XYZ]VPS ROBBED ME" in a topic because they didn't get the instant ticket response or fast enough setup time on their $10 VPS..
I'm planning on setting up a budget UK based VPS service myself some time soon, and users would do well to remember that a lot of hard work goes into the management and setup of such providers. This kind of negative publicity cannot be taken back once posted. A quick Google search will throw this kind of post up and cause irreparable and often completely unnecessary harm to a business..
Quick IPTables Commands
List: iptables -L -n | grep <IP Address>
Remove: iptables -D INPUT -s <IP 1> -d <IP 2> -j DROP
Insert: iptables -I INPUT -s <IP> -j DROP
Flush: iptables -F
Remove: iptables -D OUTPUT -s 0.0.0.0/0 -d 66.93.33.185 -j DROP
netstat -nap | grep :80 | wc -l (shows # of connections to HTTP)
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n (shows total connections per IP, if more than 100 block)
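As an added example (not from the original post), here is the "connections per IP, block above the threshold" check above done in Python over `netstat -ntu` output, counting only ESTABLISHED sockets by default so hosts lingering in TIME_WAIT are not blocked, and splitting the foreign address on the last colon so IPv6 peers are counted correctly (the `cut -d: -f1` one-liner splits IPv6 addresses on their first colon). It only renders the cheat-sheet's `iptables -I INPUT -s <IP> -j DROP` rule (or the `ip6tables` equivalent) for review; nothing is executed. The netstat text is constructed sample data.

```python
from collections import Counter

# Constructed sample of `netstat -ntu` output (not a real capture). The 5th
# column is the foreign address; IPv6 entries contain colons inside the
# address, which is why `cut -d: -f1` miscounts them.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      TIME_WAIT
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:33000     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:33001     ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.44:5353         ESTABLISHED
"""

def split_host_port(addr: str):
    """Split 'host:port' where host may itself contain colons (IPv6)."""
    host, _, port = addr.rpartition(":")
    return host, port

def connections_per_ip(netstat_text: str, states=("ESTABLISHED",)) -> Counter:
    """Count connections per foreign IP, keeping only sockets in `states`.
    Counting only ESTABLISHED avoids blocking peers whose sockets merely
    linger in TIME_WAIT after they have already gone away."""
    counts = Counter()
    for line in netstat_text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue            # header lines
        fields = line.split()
        if len(fields) < 6:
            continue            # e.g. UDP rows printed without a state column
        ip, _port = split_host_port(fields[4])
        if fields[5] in states:
            counts[ip] += 1
    return counts

def over_threshold(counts: Counter, limit: int) -> list:
    """Return [(ip, n)] for IPs with more than `limit` connections, busiest first."""
    return sorted(((ip, n) for ip, n in counts.items() if n > limit),
                  key=lambda t: (-t[1], t[0]))

def drop_commands(offenders) -> list:
    """Render the cheat-sheet's Insert rule for each offender. IPv6 peers need
    ip6tables, since iptables will reject a v6 address in -s. Strings only."""
    cmds = []
    for ip, _n in offenders:
        tool = "ip6tables" if ":" in ip else "iptables"
        cmds.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return cmds

if __name__ == "__main__":
    counts = connections_per_ip(SAMPLE_NETSTAT)
    # threshold 1 here only so the small constructed sample produces output;
    # the post above uses 100 in practice
    for cmd in drop_commands(over_threshold(counts, 1)):
        print(cmd)
```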
I currently switched from XXX to infinitie.net vps service. I was tired of foreign help dealing with people with poor english. Tech support has been very good, and good response times. Servers themselves have good performance. Not the fastest, but the mysql performance has been very good. It's also nice to have a VPS but setup and stuff can be somewhat intimidating. They were very helpful, but I did opt to pay them a small fee to do it for me. The hourly rates aren't a bargain, but when you factor in the time you would need to do it right, if you are just so-so at it, then it was probably worth it.
So far it's only a week, but it's been a happy week. No downtime at all so far. I'll report to you in a month and tell you how things are going.
During the past 24 hours, two things have happened with iMountain.com that I wanted to let you all know about.
1. I uncovered a bug in the Webshell application that they use (bundled with Hsphere) which was preventing me from gzipping up my and my buddy's owsweather.com site for weekly backups. Reported it in an email, and in 2 minutes I had a reply back saying that they would notify Hsphere of the issue since it's a bug in the software. Good job there.
2. The big one is that the same owsweather.com site is getting clobbered by HUGE amounts of traffic - more than we ever have in our 8 year history. We have received over 2500 unique IP visits since midnight (it is now 5 minutes until 6:00 am PDT in California).
I must give major props to iMountain for building rock solid servers which don't bog down under high traffic load, and also for allowing us to "use" their servers for what they are INTENDED to be used for! If it wasn't for them and allowing our site to have bursts of traffic like this *see Dreamhost, Bluehost, and other similar reviews*, we would be in a very tight spot indeed. So thanks Brandon and crew. You have done us well.
I recently changed providers after a short search, including input from this thread [url].
I opted to go with a semi-dedicated package from Iron Mountain ( www.imountain.com ). I was mostly impressed with their clustered solution and dedicated mySQL servers to host our increasingly busy Vbulletin forums. They also answered email inquiries very quickly; another good sign, given the few comments I could find about them at WHT.
While I was intrigued about the solar-powered claim, I knew that many in our community would appreciate that aspect as well.
Ultimately, I wasn't quite convinced our forum issues were mainly related to CPU/memory resource use. So, I narrowed my search to providers that also claimed to have a good setup for SQL. These included Cartika Hosting and MediaLayer, among others (Thank you to all who responded with input and offers!). At that point, it came down to lowest price, and iMountain's offer was also in the upper end of the price range supported by recent member donations. In case I was wrong about the CPU resources, at least this would allow some time to save for the dedicated solution that many recommended.
As it turns out, the CPU/memory resources were not the issue at all. It seems that our forum issues at the previous provider were primarily due to their SQL implementation.
In fact, they were going to generously allow us to continue on our $50/year plan for a while given that we weren't yet hogging resources. Nonetheless, the slowdowns and SQL errors continued until the last day. In any case, I can still recommend AddAction.net for anyone looking for a competitively priced basic hosting package if you don't have major SQL requirements. It was inexpensive, but I believe I got a lot more than I paid for.
Since the switch, the forums have been running great. No slowdowns, no freezes, no infinite waits to read/make a post, no flood of SQL error email messages. Most importantly, no user complaints so far. In addition, I've been told that we aren't even putting a scratch in our resource allocations in any area and there should be plenty of room for growth that has been doubling about every 6 months for the last few years.
The transfer was quick and the switchover had minimal downtime given that the new plan included a dedicated IP address for me to direct users of the forums to during the DNS propagation. There were a couple of minor issues during the switch, but their tech support team responded very quickly. They also helped set up memcache for the forums and suggested some other tweaks to further improve performance.
Overall, I am very satisfied so far. I'll report again in a couple months when I have a better feel for downtime and more time for users to comment.
We've recently decided to move a sizable web project to a VPS located at bigvps.com (colo4jax). Although I had some initial concerns about them being single homed to Cogent, I have actually been pleasantly surprised at the speeds of the network. I have seen some very good speeds to some of my key servers located on the West Coast and even better on the East Coast (expected). For grins, we even tested a proprietary voip software between the datacenter (It's in Jacksonville) to one of our offices in San Francisco. It was perfect!
The hardware seems solid and support has been quick to respond to any inquiries.
Although we haven't moved over the web project yet, the work we have done on the server has been no problem at all. We expect that when we move over the web project, the VPS will continue to hum along.
As with all providers, it's been a short life with them thus far - I'll post back in a few months and let you know how things progress.
I'm a non-techie trying to choose a dedicated hoster. From searching through reviews and prices, I've come down to Lunar Pages or Liquid Web. Would you please give me your opinions of these two, and if there are others that you feel strongly about instead, mention those as well? I would really appreciate it -- I'm very anxious about choosing a reliable company with good service, b/c I'll pretty much be at their mercy! (Life is hard for the non-technical
My programmer gave me these requirements: managed hosting, windows server 2003 or 2008, web edition, 2 GB ram, ms sql server 2005 or above, quad core processor from 1.8 - 2.4 ghz, firewall, automatic backup -- 10 GB, remote desktop connection.
I've been a long time reader but I figured I would finally sign up for an account and post a review of my current VPS host, WingSix.com.
Ratings range: 0-10
0 being the worst and 10 being the best
Uptime: 7/10
The uptime has been pretty good. Over the course of six months I had about 1 hour of downtime due to a hardware failure but over the last month I have had nearly 20 hours of downtime due to unexplained outages and migration issues.
Support: 4/10
The support has been horrendous. My average response to tickets is measured in days, if they respond at all, and I still have tickets opened from when I initially ordered the account relating to creeping file corruption which support just dances around. I have also had my IPs changed and server moved twice in the last month with little to no advance notice. Usually nothing actually gets done until I call them and even then it's a crapshoot.
Performance: 9/10
The performance on the server is excellent. The server is primarily a DNS and Mail host for my domains and, so far, I have had no problems with the speed or responsiveness of the service. Take this rating with a grain of salt, however, because I have never done much that would put an incredible load on the server.
Price: 8/10
Their pricing is fairly competitive with other hosts I have looked at. I am currently on their VPS Hawk plan ($25/mo) which offers:
2 dedicated IPs
15 GB storage
400k inodes
100 GB bandwidth
256 MB RAM / 1GB burstable
CPanel
Conclusion
While the uptime, price and performance are good, I am hesitant to recommend them to anyone based on my experience thus far with their support.
My domain has been reported to the mods.
In another thread recently I did a 5 year review for another provider; however, circumstances changed and I took on a couple of Gigenet servers (relatively high end).
Sales were extremely efficient, working with me to achieve what I needed at a price I was comfortable with; replies were fast and concise, so I ended up with 2 new machines and backup service.
Normally I don't need a lot of support, and for the first few weeks needed nothing bar rDNS setups. However, I ran into some serious post-migration issues over the past few days that had me stumped; support has been some of the best I have ever received, both in speed and efficiency.
Anyway I sincerely hope I will be coming back to this thread in 5 years time to update it.
There's a new Wordpress out, so it's a good time to make sure you have any/all wordpress installs updated.
Running this will find versions for every one installed in /home/
Code:
find /home/ -type d -name wp-includes -exec grep -H wp_version {}/version.php \;
The latest version is now 2.0.6
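An added example (not from the original post) of the same check in Python: it walks /home for wp-includes/version.php the way the find command does, extracts `$wp_version`, and compares it numerically against the 2.0.6 named above, so that a hypothetical 2.0.10 is not mistaken for older than 2.0.6 the way a plain string or grep comparison would. The function names and the sample version.php text in the test are constructed for this example.

```python
import os
import re

LATEST = "2.0.6"   # the version named in the post above

# Matches the assignment in wp-includes/version.php, e.g. $wp_version = '2.0.5';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")

def parse_wp_version(version_php: str):
    """Extract the version string from the text of wp-includes/version.php."""
    m = VERSION_RE.search(version_php)
    return m.group(1) if m else None

def version_key(v: str):
    """Turn '2.0.6' into (2, 0, 6) so versions compare numerically, not as
    strings (string comparison would rank '2.0.10' below '2.0.6')."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_outdated(found: str, latest: str = LATEST) -> bool:
    return version_key(found) < version_key(latest)

def scan(root: str = "/home") -> dict:
    """Walk `root` like the find command above; map each install dir to its version."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[os.path.dirname(dirpath)] = parse_wp_version(fh.read())
            dirnames[:] = []   # nothing below wp-includes is another install
    return results

def report(results: dict, latest: str = LATEST) -> list:
    """List (install_dir, version) pairs that need attention: anything older than
    `latest`, plus installs whose version.php could not be parsed."""
    return sorted((d, v) for d, v in results.items()
                  if v is None or is_outdated(v, latest))

if __name__ == "__main__":
    for install, ver in report(scan("/home")):
        print(f"{install}: {ver or 'unknown'} (latest {LATEST})")
```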
I need a quicker way to find spammers. I've found a decent way to find the scripts, but I want to find heavy offenders by a simple command line or something to identify all scripts sending e-mail in let's say a text document or something.
We've been experiencing a lot of trouble with novice customers who want to install an Application Vault package that has sub-optimal default settings, e.g.
customer wants to install wordpress, clicks on Application Vault -> wordpress -> "INSTALL"
This will install, without any questions for settings, wordpress into domain.com/wordpress - which is not what people want. I know that there is a button with the drop down menu that shows "custom", however, people don't see/know about it and click "install".
Is there a way to remove / replace the "quick install" button and have the "install custom" as default?
This can be adapted to other operating systems; for the scope of this tutorial it will be designed for Redhat Enterprise / CentOS ....
I've got a VPS which is serving as the main server for a number of sites: Web Server, SSH Server, and Mail Server.
What I've got running:
Apache2, PHP5, MySQL5, Dovecot, Postfix
One of the sites is a growing forum with a MASSIVE photo album. This is the site where I notice the most slowness.
Changing the server software is not an option - Only optimization.
Quote:
Originally Posted by httpd.conf
ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 300
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 5
<IfModule prefork.c>
StartServers 8
MinSpareServers 8
MaxSpareServers 13
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 50
</IfModule>
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
Listen 80
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
Include conf.d/*.conf
User apache
Group apache
Quote:
Originally Posted by my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
[mysql.server]
user=mysql
basedir=/var/lib
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
I looked a lot - cannot find a solution ....
I want to transfer a file from [url] to [url] or [url] without it passing through my local computer (slow upload).
It can be also a script i will install like this one - this is only for images
[url](remote)
I have Plesk 11.5 (service provider mode) on a Windows 2008 server with IIS7. Most of my sites are developed in .asp and therefore I use a custom 500-100.asp error page that checks the IP of the visitor then displays either a friendly error, or if it's my IP a full error of what has happened (it also emails me the error). This allows me to debug pages easily whilst developing and to keep an eye on anyone trying SQL Injection hacks on my sites (as the error and email also have session variables and IP address). I don't have root access to the server as it is a Webfusion dedicated server. I have followed the Plesk documentation -
1) Switch on custom errors for the subscription
2) Look in virtual directories and navigate to error documents
3) Find the error in question (500:100) and change it to point at either a file or URL
FILE - I had the data centre add the 500-100.asp error page into the virtual template so that my page is available in the list of virtual files - this didn't work, but maybe that's because it's not a static page??
URL - when I add the path it says it's incorrect; if I add a fully qualified address, it accepts it but it doesn't work. Give me a specific example of the URL that can be entered relative to the root, as the format in the documentation isn't accepted. The last step is to restart IIS, which is also an issue as I can't seem to do this from the Plesk panel.. It is as if it isn't catching the 500:100 error, and only catching the general 500 error??
I am currently running Google Analytics/Urchin 5 (v5.7.02), on a server, the server has started to act up, (on its last legs etc) and now I am trying to transfer the Urchin Software to a new server, where it would work effectively.
However upon installing the urchin software on the new server and running it (localhost:9999), I am presented with An Action Items Page, and these following choices
Obtain Demo License
Buy License
Activate Pre-Purchased License
I choose ‘Activate Pre-Purchased License’ pop in the Serial number and complete the registration then…
---------------------------------------------------------
Urchin Licensing Center -- Error!
An error has occured during your transaction, please use the back button and correct the problem. The specific error message is:
• Unable to generate a license. Some possible reasons:
Your serial code is currently active <<< How do I disable it and use it on another server?
---------------------------------------------------------
So all I want to do is deactivate the serial and reactivate it on another server.
Does anyone have experience with this or a similar problem, or have a solution to this problem? Any help would be most appreciated.
Or even a contact number so that I can get someone over the phone!
This is the scenario: domain.com is set up on server1; however, server2 also has the same profile for domain.com, as we use ns3 and ns4 under domain.com. This works fine with the nameserver setup on server2.
However, I encounter problems as the emails from server2 won't reach server1 because there is a duplicate profile on server2.
My question is how do I setup the DNS in cpanel/whm from server2 so the emails from server2 will reach server1?
Server1 (www.domain.com)
ns1.domain.com
ns2.domain.com
Server2
ns3.domain.com
ns4.domain.com
I just want to use a server for file sharing; it will have nginx and that's it. I'm looking at CentOS or FreeBSD, but I've been using CentOS forever now and I'm not sure how to use FreeBSD, so should I just stay with CentOS?
Do I tell my hosting provider to just install the OS and give me ssh action and that's it? Don't install any control panels or any other stuff? I want one domain and one subdomain on it though and ftp action.
Remote Spamassassin for Multiple Smartermail Server
I want to set up remote Spamassassin (on Linux) for multiple Smartermail servers. I want to set up Spamassassin on a Linux box.
How can I set this up with multiple Smartermail servers?
What is the fastest and best way?